Solving the people problem in IT security

March 30, 20173 Minute Read

Select article text below to share directly to Twitter!

Dismiss

Humans remain the largest challenge in protecting organizations. Still, there are plenty of ways security professionals can help them get to—and stay on—the right path.

Despite the best advice of IT professionals, employees remain the largest security risk for organizations to contain. There’s no quick fix for the so-called “people problem,” where individual employees circumvent or flat-out ignore known security best practices. It’s a costly way of doing business, but the situation is not entirely hopeless. I’ve found there are a few ways to get employees and security professionals on the same page.

It’s just human nature

No employee wants to be the problem child. They follow IT’s instructions about what to download and how to use company devices, but complacency sets in over time. Without security being top of mind, clicking links from unknown senders or downloading a coupon seems harmless. Holding the door open to allow an unknown person to follow you into the building seems courteous. But these seemingly innocent activities introduce risk. When IT isn’t actively sounding the alarm, employees aren’t actively protecting the business.

Constant vigilance. Constant action.

The answer to the people problem is, simply enough, people. An organization’s security is everyone’s responsibility. That means security professionals and employees must work together. Here are some tips both parties can follow.

For employees:

  1. Be cautious with your email. If messages look too good to be true, or if you don’t know who they’re coming from, don’t click anything.
  2. Use the tools you have. Follow the existing guidelines and corporate encryption policies to protect the data you’re sharing around the organization.
  3. Take it seriously. Don’t take shortcuts. Corporate policies may seem like they’re just adding extra work, but there’s usually a reason to require the extra steps.

For security professionals:

  1. Implement awareness campaigns. Get the word out there constantly. Put posters on the walls and hold ongoing seminars. Security should be an open topic users feel empowered to ask questions about.
  2. Reward good behavior. Incentive programs can be effective. Test employees by sending phishing emails and reward people who don’t click.
  3. Share the losses. Communicate what a breach could cost. Explain how supporting security can actually add to the bottom line of the company.
  4. Demystify IT. Too often, employees don’t even know who their security team is or what they really do. Create a dialogue between the security team and other employees; have them share stories and connect with the rest of the company.

Security professionals have additional undercover tools available to help them contain internal security risks. For example, IT can compartmentalize networks to make sure no one has full and complete access. Additionally, monitoring tools allow visibility into everything that touches the network. Teams can be reviewing websites as they’re accessed, looking for signatures and valid security certificates. Security tools also provide ways of sharing information about websites visited and traffic coming back from those sites to look for signs of malware that may be coming in the door.

Still, there’s a lot of opportunity to work on internal security management. General security practices tend to focus on what’s coming at the company, rather than what’s going on inside the company. It’s time to start investing in that more.

Assess and get started

Finally, security teams won’t know how well they’re doing without a baseline. Let’s say there are 35,000 attempts on a company and 200 get through. Keep a record of that information. A proper benchmark should also track internal employee mistakes, including opening phishing emails, clicking on corrupt websites, or documents printed but never picked up, to determine how many breaches are occurring from those behaviors. By keeping a record of that data, security teams can track their progress over time.

When you approach security as a business issue, and not just an IT issue, it reinforces the importance of security to all employees. Including security as part of the ongoing company conversation will keep it top of mind, making it part of everyday business operations. Security professionals have an army of employees capable of helping in the fight against cyber attacks. They just have to enlist them.

  • Recommended for you
  • Recommended for You